1. Field of the Invention
The present invention relates to a computer program product, system, and method for generating master and wrapper keys for connected devices in a key generation scheme.
2. Description of the Related Art
Self-Encryption Devices (SEDs) comprise storage devices that maintain stored data in encrypted form to protect user data at rest. An SED may maintain a master key used to encrypt and decrypt data in the SED, and maintain that master key cryptographically wrapped or encapsulated with an externally provided wrapper key. For security purposes, immediately after using the wrapper key, the SED device disposes of the wrapper key and erases all traces of it from memory. Upon each power-up cycle, the wrapper key must be resubmitted to the SED device to unlock the wrapped master key in the SED.
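The wrap-on-provision, unwrap-on-power-up behaviour described above, as an added Go example that is not part of this application or of any product it describes. AES-256-GCM as the wrapping primitive is an assumption, since the text names no algorithm; the point shown is that the device persists only the wrapped blob and that a wrong or missing wrapper key cannot recover the master key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// aead builds the AES-256-GCM primitive that protects the master key. GCM is
// an assumption here; the text does not name the wrapping algorithm.
func aead(wrapperKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(wrapperKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Wrap encapsulates the master key under the externally supplied wrapper key.
// The blob (nonce || ciphertext || tag) is what the SED persists; the caller
// erases the wrapper key from memory immediately afterwards, as the text says.
func Wrap(wrapperKey, masterKey []byte) ([]byte, error) {
	g, err := aead(wrapperKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, masterKey, nil), nil
}

// Unwrap recovers the master key after power-up from the persisted blob and the
// resubmitted wrapper key. A wrong wrapper key fails the GCM tag check.
func Unwrap(wrapperKey, wrapped []byte) ([]byte, error) {
	g, err := aead(wrapperKey)
	if err != nil {
		return nil, err
	}
	ns := g.NonceSize()
	if len(wrapped) < ns+g.Overhead() {
		return nil, errors.New("wrapped master key blob too short")
	}
	return g.Open(nil, wrapped[:ns], wrapped[ns:], nil)
}
```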
In a system that deploys SED devices supporting a Trusted Computing Group (TCG) protocol, there may be multiple hierarchies of devices between the system's controller and the SEDs. An example of such a hierarchy is the use of Redundant Array of Independent Disks (RAID) controllers, with the system controller on one end and the SED devices on the other. In such a system there are commonly multiple RAID controllers, and each RAID controller interfaces with multiple SED devices.
Each of the devices in the hierarchy, including the RAID controllers and SED devices, may use the same wrapper key, which the SEDs receive from the RAID controllers and use to wrap their master keys. Alternatively, there may be multiple different wrapper keys for the devices in the hierarchy, including the RAID controllers and SED storage devices. However, the use of different wrapper keys requires that information on all the different wrapper keys be maintained at one location so they can be supplied to the devices when needed to encrypt or decrypt the master key.
There is a need in the art for improved techniques for generating and managing encryption keys in a hierarchy of devices.